Access control via properties system
Abstract
An access control via properties system provides ACL rules based on the properties associated with the entries, thereby taking advantage of the fact that there are inherent properties associated with each entry and does not require any changes to the schema. Once the server supports the invention, the system administrator creates a few simple ACL rules and is done. The invention structures the ACL rule such that it indicates the attributes that the administrator has selected for user access and specifies the type of access to be granted to a user which can include: read, write, or any other privileges that the system supports. The desired attributes that the user must have to be granted such access is also listed along with the attribute fieldname associated with the desired attributes. The directory server will match the desired attributes within the specified attribute fieldname with the user's attributes and allows access to the directory entry only if the user has the desired attribute values. Alternatively, a match function can be specified for the desired attributes where the directory server matches the desired attributes with the user and the owner of the list of attributes and allows access to the directory entry only if the both the user and the owner have the desired attribute values. When a user accesses a directory entry, the directory server selects and analyzes a specific access control command according to the attribute being accessed.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A process for a property-based access control language that controls access to directory entries in a computer environment, comprising the steps of:
providing a system administrator defined access control command;
said access control command lists the attribute values that said administrator has selected for user access;
said access control command specifies the type of access to be granted to a user; and
said access control command specifies the desired attribute values that said user must have to be granted said type of access;
wherein the specific attribute fieldname associated with said desired attributes is specified; and wherein the directory server matches said desired attributes of said specific attribute fieldname with said user's attributes and allows access only if said user has said desired attributes.
2. The process of claim 1 , wherein said type of access includes, but is not limited to: read, write, and any other privileges that the system supports.
3. The process of claim 1 , wherein the directory server selects and analyzes a specific access control command according to the attribute being accessed.
4. A process for a property-based access control language that controls access to directory entries in a computer environment, comprising the steps of:
providing a system administrator defined access control command;
said access control command lists the attribute values that said administrator has selected for user access;
said access control command specifies the type of access to be granted to a user; and
said access control command specifies the desired attribute values that said user must have to be granted said type of access;
wherein a match function is specified for said desired attributes; and wherein the directory server matches said desired attributes with said user and the owner of said list of attributes and allows access only if the two have said desired attributes.
5. An apparatus for a property-based access control language that controls access to directory entries in a computer environment, comprising:
a system administrator defined access control command;
said access control command lists the attribute values that said administrator has selected for user access;
said access control command specifies the type of access to be granted to a user; and
said access control command specifies the desired attribute values that said user must have to be granted said type of access;
wherein the specific attribute fieldname associated with said desired attributes is specified; and wherein the directory server matches said desired attributes of said specific attribute fieldname with said user's attributes and allows access only if said user has said desired attributes.
6. The apparatus of claim 5 , wherein said type of access includes, but is not limited to: read, write, and any other privileges that the system supports.
7. The apparatus of claim 5 , wherein the directory server selects and analyzes a specific access control command according to the attribute being accessed.
8. An apparatus for a property-based access control language that controls access to directory entries in a computer environment, comprising:
a system administrator defined access control command;
said access control command lists the attribute values that said administrator has selected for user access;
said access control command specifies the type of access to be granted to a user; and
said access control command specifies the desired attribute values that said user must have to be granted said type of access;
wherein a match function is specified for said desired attributes; and wherein the directory server matches said desired attributes with said user and the owner of said list of attributes and allows access only if the two have said desired attributes.
9. A program storage medium readable by a computer, tangibly embodying a program of instructions executable by the computer to perform method steps for a property-based access control language that controls access to directory entries in a computer environment, comprising the steps of:
providing a system administrator defined access control command;
said access control command lists the attribute values that said administrator has selected for user access;
said access control command specifies the type of access to be granted to a user; and
said access control command specifies the desired attribute values that said user must have to be granted said type of access;
wherein the specific attribute fieldname associated with said desired attributes is specified; and wherein the directory server matches said desired attributes of said specific attribute fieldname with said user's attributes and allows access only if said user has said desired attributes.
10. The process of claim 9 , wherein said type of access includes, but is not limited to: read, write, and any other privileges that the system supports.
11. The process of claim 9 , wherein the directory server selects and analyzes a specific access control command according to the attribute being accessed.
12. A program storage medium readable by a computer, tangibly embodying a program of instructions executable by the computer to perform method steps for a property-based access control language that controls access to directory entries in a computer environment, comprising the steps of:
providing a system administrator defined access control command;
said access control command lists the attribute values that said administrator has selected for user access;
said access control command specifies the type of access to be granted to a user; and
said access control command specifies the desired attribute values that said user must have to be granted said type of access;
wherein a match function is specified for said desired attributes; and wherein the directory server matches said desired attributes with said user and the owner of said list of attributes and allows access only if the two have said desired attributes.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.